When you first started DJing or when you launched your own company, it’s probably fair to say that you didn’t have Data Protection regulations in mind. After all, DJing is a fun job! You don’t have to sit at a desk pushing pens! You get to meet people and play music instead!

However, those of you who’ve been in this game for a while now will know the importance and necessity of admin. Putting together an effective booking system. Keeping on top of enquiries. Choosing the best insurance. It’s all necessary when running a DJ business, no matter how small. And what about Data Protection? Well, it’s just another box to tick on your list of boring admin jobs.

Of course it’s a hot topic at the moment as the new General Data Protection Regulation (GDPR) will come into force on the 25th of May, replacing the previous Data Protection Act. Understandably, there is some confusion over GDPR and what needs to be done to make a business GDPR compliant. While the new rules are primarily aimed at the corporations who hold large amounts of sensitive data, you’d be wrong to think that it only concerns big business. Every business, no matter how small, needs to comply, and breaching these data protection laws can have serious consequences.

However, there is a lot of scaremongering going on at the moment, so it’s important to remember that, according to the ICO (Information Commissioner’s Office): Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.

Hopefully this article will help to draw your attention to the ‘new elements and enhancements’, as well as recapping things you may already be doing, so that you can make sure your business is compliant in time for the deadline. While the GDPR is quite complex, it’s important to realise that a lot of it won’t apply to a DJ business. On the whole, becoming GDPR compliant is about the organised, efficient and secure storing and processing of personal data. You should be aware of what data you store, how you store it, who you share data with, who has access to it and how you can erase or transfer that data at the request of individuals.

These are the 12 steps we strongly suggest you take to ensure your business is ready for the introduction of GDPR, based on the ICO’s ‘Preparing For GDPR’ guide:

1) Awareness

What the ICO says: “You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.”

What we say: This step is simple enough, really. Just make sure that anybody you employ or work with is aware of the changes that GDPR will bring about – whether it’s your business partner, your accountant or your roadie. If necessary, show them these steps, so they know exactly what to expect and what’s required.

2) Information you hold

What the ICO says: “You should document personal data you hold, where it came from and who you share it with. You may need to organise an information audit.”

What we say: Personal data is any data that can be used to identify a person. For instance, if you run a multi-op employing other DJs, you will hold personal data on them, such as their address, phone number, email, bank details, etc. Likewise, you will hold personal data on previous and existing customers. You need to protect this information and ensure that information does not leak in any way. The ICO suggests documenting all of this information, including where it came from and who has access to it. In order to protect this personal data, you may need to keep paper records in a locked cabinet and password protect documents, spread sheets and files.

3) Communicating privacy information

What the ICO says: “You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.”

What we say: You will probably have seen privacy notices when you’ve entered a website or signed up for an email newsletter. GDPR requires you to review your privacy notices and make sure they’re up to date. Using cookies on your website? You need to tell your visitors when they access your website. Running an enquiry submission form that requires a potential client to enter their email address or phone number? You need them to agree to your privacy policy (usually by ticking a check box). If you don’t have a privacy policy, then there are free online templates that you can download and use as the basis for your own policy. (The basics of any privacy notice should include: who you are; what you are going to do with the person’s information; and who it will be shared with.)

4) Individuals’ rights

What the ICO says: “You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.”

What we say: Basically, you need to review how your data-storing system can react to the requests of individuals. If, for instance, a bride whose wedding you DJed asks for all of her data to be erased (as is her right under GDPR), do you have the means to locate it and delete it efficiently? Data portability is also something to bear in mind. Should you need to send data to an individual at their request, is it stored in a way that’s easily accessible and transferable?

5) Subject access requests

What the ICO says: “You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.”

What we say: This essentially leads on from point 4. Should an individual make an ‘access request’ (ask what data you hold on them) you need to ensure that you can respond to and fulfil this request within the new timescales. So, let’s say that the bride from point 4 instead asks you to provide a copy of the personal data you hold on her, you will have one month to comply. If you feel the request is unfounded or excessive, you can refuse or even charge for the request. If you do refuse, you must tell the individual why and they will have the right to complain to the ICO.

6) Lawful basis for processing personal data

What the ICO says: “You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.”

What we say: This point takes a little unravelling, but it’s basically about ‘consent’ being your lawful basis for processing data (there are others, but these are less likely to apply to a DJ business). Let’s think back to your enquiry submission form: when your potential client ticks that check box to say they’ve read your privacy policy, they’re essentially consenting to you processing their data and using it to contact them about DJing at their event. So, ‘consent’ is the lawful basis for processing their data. On the other hand, if another supplier gave you a client’s data you may not have a lawful basis for using it (unless they were specifically informed that their data would be shared). You should review the ways in which you collect and process data, and document your lawful basis for doing so. This will help you comply with GDPR’s accountability requirements.

7) Consent

What the ICO says: “You should review how you seek, record and manage consent andwhether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.”

What we say: The key instruction here is to “refresh existing consents now if they don’t meet the GDPR standard”. If you're gathering people’s data by means that are no longer compliant, you need to update your procedures and ensure that people consent unambiguously to you processing their data! So, let’s say by completing your enquiry form a customer is automatically added to your mailing list. You’ll now need to update this so that the customer checks an ‘opt-in’ box and agrees to your privacy policy before you add them to your list (the GDPR guidelines specifically state that a ‘pre-ticked box’ is not acceptable for gaining consent).

8) Children

What the ICO says: “You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.”

What we say: In all honesty, this shouldn’t affect mobile DJs. I mean, how many under-16s are booking a mobile DJ for an event? Probably not many. But it could happen and it’s still something that requires your time and consideration. If you gather data via consent, you should bear in mind that if an individual is under 16, you will need parental consent in order to process information about them. This should be written into your privacy policy and should use language that can be easily understood by children. A checkbox requiring an individual to confirm their age as 16+ is a way to ensure you are compliant.

9) Data breaches

What the ICO says: “You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.”

What we say: Obviously, the aim of all of this is to avoid data breaches completely by securely storing and protecting the information you hold (see point 2). The GDPR also requires you to have procedures in place that allow you to “detect, report and investigate” personal data breaches. If the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage, you will need to notify the ICO as well as the individuals concerned. In reality the sort of data that you hold is not likely to have such an impact, but it’s still worth taking into consideration.

10) Data Protection by Design and Data Protection Impact Assessments

What the ICO says: “You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.”

What we say: Going forward, you should design new systems and procedures with data protection in mind. If you’re storing and processing personal data, you need to ensure that it complies with GDPR. This is ‘data protection by design’. Sometimes, a DPIA (Data Protection Impact Assessment) will be mandatory – usually where data processing could pose a high risk to individuals. Are the users of DJ and event services likely to be put at risk by your processing their data? Probably not, but it helps to be aware.

11) Data Protection Officers

What the ICO says: “You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.”

What we say: This one’s simple enough. If you’re a mobile DJ running your business alone, then it’s obviously going to be you who has to deal with data protection. If you’re a multi-op with other members of staff, have a think about who would be best to fulfil this role. Do you have an Office Manager who already deals with your admin? Perhaps he or she would be best suited. On the other hand, you might trust yourself to keep on top of it. Certain organisations will be required by law to designate a Data Protection Officer, but it is unlikely this will apply to any mobile DJ business.

12) International

What the ICO says: “If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority.”

What we say: Some of you will take your DJ work abroad, which is great! But unless your ‘main establishment’ – i.e. your registered office – is abroad or you work abroad permanently, this point is unlikely to affect you. Basically, your lead data protection supervisory authority should be local to the EU state you’re based in (in the UK, that’s the ICO). Recently moved abroad and have taken your mobile DJ work with you? You’ll need to find out which supervisory authority applies to you.

More information and advice on becoming GDPR compliant can be found on the ICO website (whose detailed guide formed the basis of this article): ico.org.uk